On Tue, Jan 26, 2021 at 11:32:37AM -0800, wuhaotsh--- via wrote:
> +
> +static void npcm7xx_smbus_read_byte_fifo(NPCM7xxSMBusState *s)
> +{
> + uint8_t received_bytes = NPCM7XX_SMBRXF_STS_RX_BYTES(s->rxf_sts);
> +
> + if (received_bytes == 0) {
> + npcm7xx_smbus_recv_fifo(s);
> + return;
> + }
> +
> + s->sda = s->rx_fifo[s->rx_cur];
> + s->rx_cur = (s->rx_cur + 1u) % NPCM7XX_SMBUS_FIFO_SIZE;
> + --s->rxf_sts;
This open-coded decrement seems a little risky. Are you sure in every
case that s->rxf_sts > 0? There's no way what's running in the VM can
game this and cause a buffer overrun? One caller to this function seems
to protect against this, and another does not.
s->rxf_sts is uint8_t so it's guaranteed to be >=0.
In the case s->rxf_sts == 0, NPCM7XX_SMBRXF_STS_RX_BYTES(s->rxf_sts) is also 0, so it'll take the if-branch and return without running --s->rxf_sts.
I'll probably add "g_assert(s->rxf_sts > 0)" to clarify.
Other than this, I didn't see any issues with this patch.
-corey